RE: ssh and ids

Peter_Schawacker_at_NAI.com
Date: 06/22/04

  • Next message: Adam Powers: "Re: ssh and ids" 
    Date: Mon, 21 Jun 2004 19:44:14 -0700
To: <apowers@lancope.com>, <focus-ids@securityfocus.com>

    Hello Adam,

    I believe you are correct to say that there are no silver bullets when
    it comes to detection. However, I would point out that as of the end of
    July, McAfee's IntruShield network IPS will offer the ability to decrypt
    SSL traffic (using the server's private key) and therefore to detect and
    prevent encrypted attacks against web servers. To date this is the
    first and only network IDS to offer the ability to "pierce the veil" of
    encryption. Note that SSL decryption is available in both IDS and IPS
    modes.

    If anybody is interested in the specifics of how IntruShield inspects
    encrypted traffic there's a white paper available from
    http://www.nai.com/us/_tier2/products/_media/sniffer/wp_encr_th_prot.pdf
    ."

    Peter Schawacker, CISSP
    Technical Evangelist
    McAfee
    Office 760 200 4258
    Mobile 760 880 4258
    ps@nai.com

    -----Original Message-----
    From: Adam Powers [mailto:apowers@lancope.com]
    Sent: Friday, June 18, 2004 9:29 PM
    To: focus-ids@securityfocus.com
    Cc: Runion Mark A FGA DOIM WEBMASTER(ctr)
    Subject: Re: ssh and ids

    There is really no one full-proof answer to this question (that I'm
    aware of). Encryption remains the bane of network-based intrusion
    detection technologies.

    At the risk of speaking on behalf of such flow-based vendors as Arbor,
    Mazu, Q1, and (yes, my personal favorite) Lancope, I think some of the
    new behavioral traffic analysis technologies go a long way toward
    solving some of the problems presented by encryption technologies.

    <light details>
    By observing the duration of a "flow" (read: a TCP socket or series of
    related sockets) and the manner in which packets are exchanged over a
    "long duration" flow, a behavior-based system can pinpoint those
    connections that seem to be "out of the norm". During the baselining
    period, a behavior driven system observes connections attributes such as
    "duration" and "relative connectedness" to gain an understanding of the
    nature of the flows being created by a given network node. The
    flow-based, behavior-driven system should have the ability to discern
    between a AES gotomypc.com connection over TCP 443 and an automatic
    refresh connection to www.weather.com. The determination that "covert
    communications" are underway is done not through string matching or
    protocol anomaly but rather through the analysis of the flow attributes
    themselves (duration, packets sent/rcvd, pkt size, etc). Bottoms line:
    the magic is in the algorithms used to examine header traffic. Header
    traffic is not encrypted. </light details>

    The #1 defining attribute of flow-analysis techniques is that they
    typically DO NOT require use of payload data to determine the presence
    of an attack.

    As previously mentioned, there is no fool-proof plan... Flow-based
    technologies can be tricked... It just requires a much different science
    than that used by snot, sidestep, or encrypted shell shoveling.

    - AP

    On 6/18/04 2:18 PM, "Runion Mark A FGA DOIM WEBMASTER(ctr)"
    <mark.runion@us.army.mil> wrote:

    > Lets suppose the attacker is mildly sophisticated, and after making
    > the initial assault roots the box and installs a secure backdoor or
    > two. Is there any IDS capable of isolating data it cannot read,
    > except to monitor authorized port usage of a system or group of
    > systems? Not to complicate the question, but when the attacker is
    > using portal gates and all communications traffic is encrypted in
    > normal channels how can an IDS participate? Monitoring normal traffic

    > patterns seems a bit slow for detection.
    >
    > -
    > Mark Runion
    >
    >
    > ----------------------------------------------------------------------
    > -----
    >
    > ----------------------------------------------------------------------
    > -----
    >

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Adam Powers: "Re: ssh and ids"

    Relevant Pages

    • Re: ssh and ids
      ... Encryption remains the bane of network-based intrusion detection ... behavioral traffic analysis technologies go a long way toward solving some ... By observing the duration of a "flow" (read: a TCP socket or series of ... a behavior-based system can pinpoint those connections that ...
      (Focus-IDS)
    • RE: Building the Perfect IDS - blacklisting
      ... authenticate a packet than it does to generate a bogus packet, ... the DoS flood. ... Building the Perfect IDS - blacklisting ... one word: encryption. ...
      (Focus-IDS)
    • AW: audit perspective: proof that all connections are encrypted
      ... sshd only allows encrypted connections! ... doesn't accept any specified encryption, ... remote access devices only allow encrypted connections, not plaintext". ...
      (SSH)
    • RE: ssh and ids
      ... box is the termination point of the SSL tunnel. ... Subject: ssh and ids ... Your claim is only partially true Peter. ... Encryption remains the bane of network-based intrusion ...
      (Focus-IDS)
    • RE: ids inquisition
      ... Dozens of IDS companies out there are merketing millions of dollars ... worth of contracts consisting of NIDS and HIDS solutions, ... from an IDS perspective are at a network layer where encryption is not ...
      (Focus-IDS)